Professional Documents
Culture Documents
STM32 Security Workshop 03 SBSFU Presentation
STM32 Security Workshop 03 SBSFU Presentation
03 SBSFU presentation
Agenda
2
Agenda
3
Basic principle of a secure boot
• A secure boot is a code executed after reset that verifies the application firmware
is genuine before launching it or not!
Secure Boot
Read firmware Application firmware execution
Reset Check integrity &
authenticity
Launch
Launch application
only if authentic 03-4
What makes a secure boot secure ?
Secure Boot is the only possible code executed after reset
Secure Boot
Reset Immutable
03-5
How integrity & Authenticity are checked ?
• Hash value and signature value need to be provided with the firmware !
• They are stored in a container called either meta data or header
• No need to encrypt the meta data thanks to signature mechanism.
03-6
Meta data
Secure Boot
Read firmware Meta data: Application firmware
Signature
Reset Check integrity &
authenticity
Launch
Launch application
only if authentic 03-7
How meta data is built ?
RSA or
Private key
ECDSA Fw digest Hash Secure
RSA or ECC
Sign Room
03-8
How secure boot verifies the signature ?
Public key
RSA or ECC
RSA or
Computed Fw
ECDSA
digest
Verify
Hash
status
Secure boot
03-9
Agenda
10
From secure boot to secure firmware update
03-11
Secure firmware update principle
03-12
First step : create an update file
Development
RSA or station
Private key
ECDSA Digest Hash Secure
RSA or ECC
Sign Room
Firmware build
03-13
Second step : transmit update file to target
• 2 possible ways:
• 1- File sent remotely. Case of IOT with connection to a server
• 2- File transmitted thanks to a local connection (UART, USB, SDCard, I2C, SPI)
• In all cases the update file needs to be written on target flash with a loader
• The loader can be
• 1- part of the secure boot
• 2- a standalone application
• 3- part of the application firmware
03-14
Third step : installation of the update
03-15
How new firmware can replace old one
• Local transfer
• Can be handled from secure boot, standalone application or even application itself
• If loader is located in secure boot or standalone application, it can first erase application and
then load the new one
• Remote transfer
• IOT common case : application transfers new firmware from remote server.
• New firmware needs to be stored locally while current firmware is still running
• If application has to manage the update, 2 slots are required:
• a slot storing the active firmware
• A slot storing the downloaded firmware
03-16
Local update example
Server/update station
• Erase old firmware
• Transfer update firmware
• Check integrity & authenticity. Erase if fail
Serial
communication
Loader
Meta data Application firmware new
Secure Boot Meta data
new
Public key
RSA or ECC
03-17
Remote Update Server
Remote update example
Loader
Launch 03-18
Slot Active Slot Update
Update firmware encryption
03-19
Create an encrypted update file
RSA or Secure Development
Private key station
ECDSA Digest HASH Room
RSA or ECC
Sign
Firmware build
AES Key AES
Application firmware
Loader
AES Key
Meta data Application
Application firmwarefirmware new
encrypted new
Secure Boot Meta data
new
Public key
RSA or ECC
03-22
Key protection
03-23
Conclusion
• We have seen the basic principles used in a secure boot and secure firmware
update
• As you can see this involves many concepts that require some development
• Also, STM32 family implements different security mechanisms
03-24
Agenda
25
What is X-CUBE-SBSFU ?
03-26
Important notice
03-27
SBSFU in a Nutshell
• X-CUBE-SBSFU is a standalone package containing full functional secure boot and secure
firmware update examples for each supported STM32 family: F4, F7, G0, G4, H7, L0, L1, L4,
L4+STSAFE, WB
• Current version is STM32CubeExpansion_SBSFU_V2.4.0
• 34 examples available
• 1 image (10) : Use of 1 SLOT
• 2 images (13) : Use of 2 SLOTS
• 2 images OSC (6) : Use opensource crypto instead of X-Cube-Cryptolib
• 2 images STSAFE (1): Use of STSafe to store the certificate chain
• 2 images KMS (2) : Key Management System : key store
• 2 images ExtFlash (2) : Use of external memory to store firmware
• Documentation :
• Introduction to STM32 microcontrollers security (AN5156)
• Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package (UM 2262)
• Integration guide for the X-CUBE-SBSFU STM32Cube Expansion Package (AN5056)
03-28
Package content
03-29
Agenda
30
How SBSFU addresses security requirements ?
03-31
Confidentiality of the firmware
03-32
Unique entry point
• Ensure that after a reset, the platform always boots at the same address
• This feature is ensured thanks to RDP Level 2
• The RDP Level 2 deactivates the ability to boot on system bootloader or RAM
03-33
Code Immutability
• Ensure that secure boot code and authentication key cannot be modified in any
manner
• This feature is ensured thanks to the combination of WRP and RDP Level 2
• WRP (Write protection) is setup thanks to option bytes
• WRP can be setup to protect a selection of flash sectors
• The RDP level 2 makes option bytes no more changeable.
03-34
RDP usage
• RDP Level 2 brings the confidentiality + bootlock + immutability (with WRP) for all
STM32.
• On recent STM32 families RDP Level 1 can be used with some limitations
• This concerns G0, G4 and H7 implementing secure memory
• The combination of RDP1 and secure memory brings the impossibility to connect
with debugger and the inability to change the content of secure memory
• Confidentiality is ensured thanks to jtag deactivation
• Unique boot entry ensured thanks to BOOT_LOCK on G0 and G4
• Immutability ensured thanks to secure memory
03-35
Cryptography integration and isolation
03-36
Additional security mechanisms
• Tamper
• Watchdog
• Disable debug GPIOs
• Disable DMA clocks to enforce MPU protection
03-37
SBSFU security mechanisms handling
03-38
Conclusion
03-40
Agenda
41
How SBSFU uses cryptography ?
• After security mechanisms are properly setup, the cryptography operations can be
securely executed
• SBSFU uses following crypto algorithms :
• Integrity: SHA256
• Authentication: Elliptic curve ECDSA with p256 curve
• Confidentiality: AES CBC
03-42
SBSFU authentication process
03-43
SBSFU meta data
Application firmware
SBSFU Header
FW Version
FW Size
SHA256 Application fw digest
FW digest
Private key
ECC p256
03-44
SBSFU integrity and authenticity check
RSA or
Computed meta SBSFU
Public key ECDSA
data digest
ECC p256 Verify
Computed Fw
Compare
digest
Meta data signature
OK.
Next step: Check FW SHA256
digest SHA256 FW digest OK
Application is
genuine
FW Version
FW Size
SBSFU Application firmware
FW digest
Meta data
signature
03-45
Agenda
47
SBSFU architecture overview
03-48
SBSFU Application and secure engine
SBSFU FW Version
FW Size
Application firmware
AES Key FW digest
Public key
ECC p256 Meta data
signature
SBSFU
Gate
Execute Crypto operations Interface Uses SE API to perform crypto
and Store Keys API operations
03-49
Package Architecture Overview
Secure Bootloader & Secure Firmware Update Basic User Application
SECURITY ACTIVATION
Local FW loader loader
FW version Standalone
Call Gate Entry point
management FW Loader
FW User Code
Error management / User Appli
Crypto for Example
Recovery procedures Secure Image Boot.Info
Bootloader
Functions Helpers
Drivers
Activate dynamic
security protections
YES
Check request fw download Download new firmware using local
loader or standalone into Slot Dwl
NO
YES
Check Current fw to install Install new firmware (swap) Reset
YES
Verify current fw is authentic Launch application fw
NO
03-52
Dynamic security setting
03-53
SBSFU FLASH mapping on STM32L476
intvect_start
SBSFU vector table SE_Code_region_ROM_start Use of symbols to gather
Secure Engine information used by different
SE_Code_region_ROM_end / SE_IF_region_ROM_start
SE interface SE_IF_region_ROM_end / SB_region_ROM_start
projects in one place.
SBSFU
__ICFEDIT_SB_region_ROM_end__/__ICFEDIT_SLOT_Dwl_1_start_
Download image header (512) _
Slot_Dwl_1
Download image
Slot_Active_1 after Slot_Dwl_1 to
__ICFEDIT_SLOT_Dwl_1_end__
address a constraint specific to firewall
V __ICFEDIT_SLOT_Active_1_start__ usage on STM32L4.
Active Image header (512)
Slot_Active_1
Active image
__ICFEDIT_SLOT_Active_1_end__ / __ICFEDIT_SWAP_start__
Swap area
__ICFEDIT_SWAP_end__
03-55
SBSFU figures
• Memory footprint
• Flash : between 32 KB and 56 KB depending on features, debug, target and compiler used.
• RAM : 4KB used by the secure engine
• Boot time
• Boot time mainly depends on the crypto operations(about 90% of boot time)
• This depends on the performance of addressed target and available hardware accelerator.
• Order of magnitude is between 100ms and 1 second
• Update time
• The update time depends on
• Download interface speed
• Flash writing speed
• Note that single image update is much faster compared to dual image update
03-56
Agenda
57
SBSFU package advanced features
03-58
Update options in 2 images
03-59
Multislot
• In order to manage multi core devices SBSFU can define up to 3 active slots
• Associated to these slots you can have up to 3 download slots
• It is possible to keep only 1 download slot for 3 active slots
• SBSFU check authenticity and integrity of each slot at startup
03-60
Agenda
61
Conclusion
03-62
Thank you